Versions 2.0.10 of Mosquitto has been released. This is a security and bugfix release.
- CVE-2021-23980: If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault. This will be updated with the CVE number when it is assigned. Affects versions 2.0.0 to 2.0.9 inclusive.
- Don't overwrite new receive-maximum if a v5 client connects and takes over an old session. Closes #2134.
- Fix CVE-xxxx-xxxx. Closes #2163.
receive-maximumto not exceed the
-Cmessage count in mosquitto_sub and mosquitto_rr, to avoid potentially lost messages. Closes #2134.
- Fix TLS-PSK mode not working with port 8883. Closes #2152.
- Fix possible socket leak. This would occur if a client was using
mosquitto_loop_start(), then if the connection failed due to the remote server being inaccessible they called
mosquitto_loop_stop(, true)and recreated the mosquitto object.